Use of secure insert multiple operation within import set API [New in Security Center 1.3]

Use the com.glide.import_set_api.insert_multiple_optimize property to control whether GlideRecordSecure or GlideRecord is used for the Insert Multiple operation within the Import Set API.

If com.glide.import_set_api.insert_multiple_optimize is set to the recommended value of false, GlideRecordSecure is used to insert records and table-level access control lists (ACLs) are evaluated. If this property is set to true, GlideRecord is used to insert records and table-level ACLs are not evaluated; in addition, you must ensure that the Import Set API Insert Multiple REST Endpoint ACL (sys_id: 3101b770ff2211105cf343d0653bf182) is active and that users have the import_transformer role.
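
The check described above can be scripted. The following is an added example, not ServiceNow's own code: the function name auditInsertMultiple and the shape of the result object are assumptions, and the sys_security_acl and sys_user_has_role tables are standard platform tables that this page does not name.

```javascript
// Added example (not ServiceNow code). In a background script, call:
//   gs.info(JSON.stringify(auditInsertMultiple(gs, GlideRecord)));
var PROP = 'com.glide.import_set_api.insert_multiple_optimize';
var ENDPOINT_ACL = '3101b770ff2211105cf343d0653bf182'; // sys_id given on the page
var ROLE = 'import_transformer';

function isTrue(value) {
  // Boolean fields and properties come back as strings ("true"/"false" or "1"/"0").
  var s = String(value).toLowerCase();
  return s === 'true' || s === '1';
}

function auditInsertMultiple(gs, GlideRecord) {
  var result = { optimized: false, aclActive: null, roleHolders: [], findings: [] };

  // Page default is false: GlideRecordSecure is used and table-level ACLs are evaluated.
  result.optimized = isTrue(gs.getProperty(PROP, 'false'));
  if (!result.optimized) {
    return result;
  }
  result.findings.push(PROP + ' is true: table-level ACLs are not evaluated');

  // With GlideRecord in use, the endpoint ACL must be active.
  var acl = new GlideRecord('sys_security_acl');
  result.aclActive = acl.get(ENDPOINT_ACL) ? isTrue(acl.getValue('active')) : false;
  if (!result.aclActive) {
    result.findings.push('endpoint ACL ' + ENDPOINT_ACL + ' is missing or inactive');
  }

  // List role holders so a reviewer can confirm the role is limited to integration users.
  var grant = new GlideRecord('sys_user_has_role');
  grant.addQuery('role.name', ROLE);
  grant.query();
  while (grant.next()) {
    result.roleHolders.push(grant.getValue('user')); // user sys_id
  }
  if (result.roleHolders.length === 0) {
    result.findings.push('no user holds the ' + ROLE + ' role');
  }
  return result;
}
```

An empty findings array with optimized set to false means the instance is on the recommended setting.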

More information

Attribute: Description
Configuration name: com.glide.import_set_api.insert_multiple_optimize
Configuration type: System Properties (/sys_properties_list.do)
Data type: Boolean
Recommended value: false
Default value: false
Category: Access control
Security risk:
  • Severity score: 6.5
  • CVSS score: Medium
  • Security risk details: If this property is not set to false, a low-privileged user could insert data into tables outside the scope of their privileged roles.
Revertible behavior: Both safe override and No DB Override.
Dependencies and prerequisites: None
Functional impact: This property optimizes the performance of Import Set API by using GlideRecord to save data. When the parameter is set, it requires an integration user to have the import_transformer role to access the API.
References: https://developer.servicenow.com/blog.do?p=/post/gliderecord-vs-gliderecordsecure